TD9980 - security hole - guest network and IPSec VPN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2014-12-09 23:13:45
Region : UnitedKingdom
Model : TD-W8980
Hardware Version : V1
Firmware Version :
ISP :

NB: this refers to the TD9980, which is not available in the pick-list, so it is saved under the 8980 (same hardware).

I want to report what I believe is a serious security flaw in the TD9980 guest network functionality. If the router has an IPSec tunnel configured to another site, a user on the guest network can access any device at the remote site!

For example, I have a VPN tunnel connecting sites A and B, using a TD9980 at site A and a TD8960N at site B. If connected to the guest network at site A, I cannot access local devices at site A (as expected), but I CAN access the router admin console and NAS file server at site B!

The guest network must not allow access to network devices at the remote site!

I've sent an email to TPLink support, but I thought I'd also ask on here... is there any way to prevent it in the settings?
#1
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-10 02:27:27
What do you want the guest network to have access to, and what do you want to prevent the guest network from accessing?
#2
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-10 04:07:55
I want devices on the guest network to have access to the internet, and nothing else.

I have set the guest network as follows:
Allow Guests to access my Local Network = DISABLED
Allow Guests to access my USB Storage Sharing = DISABLED
Guest Network Isolation = ENABLED
Guest Network Bandwidth Control = DISABLED

It successfully isolates devices on the guest network from devices on the local data network, but it does NOT isolate them from devices on a remote network connected via an IPSec tunnel (on a separate sub-net). It seems the developers did not test the guest network in this scenario.
#3
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-10 14:31:38
If your guest network IP addresses are handed out from the same DHCP IP address pool as your non-guest network, then you may want to use an access list to accomplish what you are asking in your post.
Otherwise you should place your guest network on a separate subnet and create a second DHCP IP address pool just for them.
#4
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-10 17:33:17
An access list is no good because once they are on the guest network they can access other devices on the remote network, which is not correct. There are settings to isolate guests from the data network and they simply don't work if you have an IPSec tunnel connecting to another site.

How is it possible to set up a separate DHCP pool for the guest network on a TD9980? I can't see any settings for that. You might as well say I should use a different router.
#5
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-11 00:23:46
On a positive note, vpnrouter's suggestion has led me to a temporary solution - I've configured my old router as a guest wireless network, and found a way to segregate it from the data network (including remote sites) using the TD9980's "Interface Grouping" function to isolate the LAN port it is plugged into.

TD9980 firmware needs fixing to do this properly.
#6
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-11 08:56:36

ash73 wrote

An access list is no good because once they are on the guest network they can access other devices on the remote network, which is not correct. There are settings to isolate guests from the data network and they simply don't work if you have an IPSec tunnel connecting to another site.

How is it possible to set up a separate DHCP pool for the guest network on a TD9980? I can't see any settings for that. You might as well say I should use a different router.

DHCP Server/Conditional Pool
#7
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-11 21:13:29
Does anyone who can string more than one sentence together know how to configure DHCP conditional pool? It looks like it isolates based on client type, which is not what I want to do.

- How do you isolate one pool from the other?
- What is facility?
- What are options 241-245?
- What is the option value?

Using 2.4G for guest and 5G for data, and isolating 2.4G in a separate interface group, looks like the way to go, but I haven't had a chance to try it yet.
#8
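Added example, not code from the thread or from TP-Link: a small Python model of the two ways a router can implement "guests get internet only", covering the leak described in post #2 and the interface-based workaround discussed in posts #5 and #7. The symptom in the thread (local LAN blocked, remote IPsec subnet reachable) is exactly what a destination denylist produces: the guest filter drops packets to the local subnet and forwards everything else, and the site-to-site tunnel happily carries "everything else" to site B. A policy keyed on where the packet would leave the router (only the WAN uplink is acceptable) closes that hole for any route or tunnel added later. The addresses, interface names and the assumption that the IPsec tunnel is policy-based (traffic selectors, no tunnel interface) are all hypothetical and chosen for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology; all addresses and interface names are hypothetical.
LAN_IFACE = "br-lan"      # site A data network
GUEST_IFACE = "wl-guest"  # site A guest SSID
WAN_IFACE = "ppp0"        # internet uplink

LAN_NET = ip_network("192.168.1.0/24")  # site A LAN

# Policy-based IPsec (assumed): no tunnel interface, only traffic selectors.
# Anything matching a remote selector is encrypted and sent to the peer.
IPSEC_REMOTE_SELECTORS = [ip_network("192.168.2.0/24")]  # site B LAN

ROUTES = [
    (LAN_NET, LAN_IFACE),
    (ip_network("0.0.0.0/0"), WAN_IFACE),  # default route
]


def classify_egress(dst):
    """Where a packet to dst would leave the router.

    Returns 'ipsec' if a tunnel selector matches, otherwise the interface
    chosen by a longest-prefix lookup of the static route table.
    """
    dst = ip_address(dst)
    if any(dst in sel for sel in IPSEC_REMOTE_SELECTORS):
        return "ipsec"
    _net, iface = max(((n, i) for n, i in ROUTES if dst in n),
                      key=lambda r: r[0].prefixlen)
    return iface


def denylist_policy(ingress, dst):
    """Policy that reproduces the reported behaviour: guests are refused the
    local subnet only; every other destination is forwarded as routed."""
    if ingress != GUEST_IFACE:
        return True
    return ip_address(dst) not in LAN_NET


def allowlist_policy(ingress, dst):
    """Hardened policy: guest traffic may only leave via the WAN uplink.
    Deciding on the egress side means a VPN selector or a second LAN added
    later is denied without touching the guest rules."""
    if ingress != GUEST_IFACE:
        return True
    return classify_egress(dst) == WAN_IFACE


def forward(policy, ingress, dst):
    """Egress ('ipsec' or an interface name) if allowed, else None (dropped)."""
    return classify_egress(dst) if policy(ingress, dst) else None


def audit(policy):
    """Probe a policy from the guest interface with one destination per class."""
    probes = {
        "site A LAN host": "192.168.1.10",
        "site B NAS via IPsec": "192.168.2.20",
        "internet host": "93.184.216.34",
    }
    return {label: forward(policy, GUEST_IFACE, dst) for label, dst in probes.items()}


if __name__ == "__main__":
    for name, pol in (("denylist", denylist_policy), ("allowlist", allowlist_policy)):
        print(name, audit(pol))
```

Run it and the denylist audit shows the site B NAS reached over "ipsec" while the site A host is dropped, which is the thread's symptom; the allowlist audit drops both and only the internet probe leaves via ppp0. The Interface Grouping workaround in posts #5 and #7 is the same idea applied one layer down: the guest port or SSID is put in its own forwarding domain with only the WAN connection, so there is no path to the LAN or to the tunnel selectors at all. Note that neither policy says anything about the router's own management addresses; guest access to the local admin interface is a separate input-side rule.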
Re:TD9980 - security hole - guest network and IPSec VPN
2014-12-15 10:26:20
I sent you a private message.
#9
Information

Views: 1167

Replies: 8